relaylock uses the TCPREMOTEIP environment variable (set by tcpserver or
tcp_env) to determine the IP address of the remote server. When
spamdyke runs its configuration tests, it sets TCPREMOTEIP to 127.0.0.1.
relaylock doesn't seem to offer SMTP AUTH to that IP address.
Try this -- set TCPREMOTEIP to another value:
export TCPREMOTEIP=11.22.33.44
Then run the configuration test one more time. The SMTP AUTH test
should succeed.
I see this on my Plesk server when I test with your configuration file:
------------------------------------------------------------------------
spamdyke-3.1.1/spamdyke# cat config.txt
log-level=2
local-domains-file=/var/qmail/control/rcpthosts
max-recipients=5
idle-timeout-secs=60
graylist-dir=/var/qmail/gray
graylist-min-secs=300
graylist-max-secs=1814400
reject-empty-rdns
reject-unresolvable-rdns
reject-ip-in-cc-rdns
greeting-delay-secs=5
check-dnsrbl=zombie.dnsbl.sorbs.net
check-dnsrbl=dul.dnsbl.sorbs.net
check-dnsrbl=bogons.cymru.com
smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
smtp-auth-command=/var/qmail/bin/cmd5checkpw /var/qmail/bin/true
local-domains-file=/var/qmail/control/rcpthosts
reject-missing-sender-mx
hostname=v31616.vierfpeile.de
tls-certificate-file=/var/qmail/control/servercert.pem
spamdyke-3.1.1/spamdyke# export TCPREMOTEIP=11.22.33.44
spamdyke-3.1.1/spamdyke# ./spamdyke -f config.txt --config-test
/var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd
/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw
/var/qmail/bin/true
spamdyke 3.1.1+TLS (C)2007 Sam Clippinger, samc (at) silence (dot) org
http://www.spamdyke.org/
Use -h for an option summary or see README.html for complete option details.
Testing configuration...
WARNING: Running tests as superuser root (0), group root (0). These test
results may not be valid if the mail server runs as another user.
INFO: Running command to test capabilities: /var/qmail/bin/relaylock
WARNING: command aborted abnormally: /var/qmail/bin/relaylock
SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue
using the "tls-certificate-file" flag so spamdyke will be able to filter
all traffic.
WARNING: /var/qmail/bin/relaylock appears to offer SMTP AUTH support but
the "smtp-auth-command", "smtp-auth-command-encryption" and/or
"access-file" flags are in use. This is not necessary and needlessly
creates extra load on the server.
ERROR(graylist-dir): Unable to read graylist directory /var/qmail/gray:
No such file or directory
ERROR: Tests complete. Errors detected.
spamdyke-3.1.1/spamdyke#
------------------------------------------------------------------------
-- Sam Clippinger
Grimmi Meloni wrote:
> Hi Sam,
>
> thank you for your very detailed answer. In fact you were right about
> relaylock. I removed it during my tests and forgot to add it during the
> config-test. Anyway, I gave it another shot, and I'm still stuck with
> the same problem. I used loglevel 4 and got a warning saying:
>
> WARNING: command aborted abnormally: /var/qmail/bin/relaylock
>
> This line is shown directly above the TLS Success and the SMTP-Auth
> Warning messages of the test:
>
> SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue
> using the "tls-certificate-file" flag so spamdyke will be able to filter
> all traffic.
> WARNING: /var/qmail/bin/relaylock does not appear to offer SMTP AUTH
> support. Please use the "smtp-auth-command" flag or the
> "smtp-auth-command-encryption" flag as well as the "access-file" and
> "local-domains-file" flags so spamdyke will be able to authenticate
> users and correctly allow them to relay.
>
> I decided to run strace and see what's happening. To me it seems like
> something goes wrong during the testing of the SMTP Auth capacities?
>
> --------- strace excerpt ---------
> [.... creation of the socket .....]
> [pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
> {1200, 0})
> [pid 19807] write(1, "220 myserver.mydomain.com ESMTP\r\n", 26
> <unfinished ...>
> [pid 19806] <... select resumed> ) = 1 (in [5], left {29, 926000})
> [pid 19807] <... write resumed> ) = 26
> [pid 19806] read(5, "220 myserver.mydomain.com ESMTP\r\n", 4095) = 26
> [pid 19806] time(NULL) = 1194975400
> [pid 19806] select(5, [], [4], NULL, {30, 0}) = 1 (out [4], left {30, 0})
> [pid 19806] write(4, "EHLO localhost\r\n", 16) = 16
> [pid 19806] time(NULL) = 1194975400
> [pid 19806] select(8, [5 7], [], NULL, {30, 0} <unfinished ...>
> [pid 19807] select(1, [0], NULL, NULL, {1200, 0}) = 1 (in [0], left
> {1200, 0})
> [pid 19807] read(0, "EHLO localhost\r\n", 1024) = 16
> [pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
> {1200, 0})
> [pid 19807] write(1, "250-myserver.mydomain.com\r\n250-STARTTLS"..., 64
> <unfinished ...>
> [pid 19806] <... select resumed> ) = 1 (in [5], left {29, 999000})
> [pid 19807] <... write resumed> ) = 64
> [pid 19806] read(5, "250-myserver.mydomain.com\r\n250-STARTTLS"...,
> 4069) = 64
> [pid 19806] time(NULL) = 1194975400
> [pid 19806] select(5, [], [4], NULL, {30, 0}) = 1 (out [4], left {30, 0})
> [pid 19806] write(4, "QUIT\r\n", 6) = 6
> [pid 19806] time(NULL) = 1194975400
> [pid 19806] select(8, [5 7], [], NULL, {30, 0} <unfinished ...>
> [pid 19807] select(1, [0], NULL, NULL, {1200, 0}) = 1 (in [0], left
> {1200, 0})
> [pid 19807] read(0, "QUIT\r\n", 1024) = 6
> [pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
> {1200, 0})
> [pid 19807] write(1, "221 myserver.mydomain.com\r\n", 20 <unfinished ...>
> [pid 19806] <... select resumed> ) = 1 (in [5], left {30, 0})
> [pid 19807] <... write resumed> ) = 20
> [pid 19806] read(5, "221 myserver.mydomain.com\r\n", 4005) = 20
> [pid 19806] time(NULL) = 1194975400
> [pid 19806] select(8, [5 7], [], NULL, {30, 0} <unfinished ...>
> [pid 19807] exit_group(0) = ?
> Process 19807 detached
> <... select resumed> ) = 1 (in [5], left {29, 999000})
> read(5, "", 3985) = 0
> close(5) = 0
> time(NULL) = 1194975400
> select(8, [7], [], NULL, {30, 0}) = 1 (in [7], left {30, 0})
> read(7, "", 3985) = 0
> close(7) = 0
> time(NULL) = 1194975400
> close(4) = 0
> wait4(19807, 0x7fbfff0a5c, WNOHANG, NULL) = 0
> kill(19807, SIGKILL) = 0
> write(2, "WARNING: command aborted abnorma"..., 61WARNING: command
> aborted abnormally: /var/qmail/bin/relaylock) = 61
> --------- strace excerpt ---------
>
> I don't know if it is the right approach to the problem, but maybe it
> will give you some clue?
>
> I also tried to imitate what I see in the log above by telnetting my
> system manually, because the strace only shows the first few bytes of
> each read operation:
>
> myserver:~ # telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 myserver.mydomain.com ESMTP
> EHLO localhost
> 250-myserver.mydomain.com
> 250-STARTTLS
> 250-PIPELINING
> 250 8BITMIME
> QUIT
> 221 myserver.mydomain.com
> Connection closed by foreign host.
>
> I'm far from being a SMTP crack, but shouldn't there be a line
> announcing my SMTP_AUTH capabilities as well?
>
> bye, Michael
>
> Sam Clippinger wrote:
>> Plesk is such a queer duck. I like its control panel but it sure does
>> some screwy things to the system configuration.
>>
>> I see something in your spamdyke configuration file that could be
>> causing the SMTP AUTH problem. You have the following line commented out:
>> smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
>> /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
>> This is actually two commands -- smtp_auth and cmd5checkpw. They should
>> be given on two separate lines and they should offer encrypted
>> authentication:
>> smtp-auth-command-encryption=/var/qmail/bin/smtp_auth
>> /var/qmail/bin/true
>> smtp-auth-command-encryption=/var/qmail/bin/cmd5checkpw
>> /var/qmail/bin/true
>> I suspect the authentication is failing because cmd5checkpw is the
>> program that can actually process your credentials but it's not being
>> started (because your configuration file lists it as a parameter to
>> smtp_auth).
>>
>> However, you're correct that you don't need it with 3.0.0 and later --
>> spamdyke now automatically detects successful authentication without
>> running the commands itself.
>>
>> Next, your "config-test" is giving strange results because you probably
>> used this command:
>> spamdyke -f /etc/spamdyke.conf /var/qmail/bin/qmail-smtpd
>> Plesk doesn't patch qmail-smtpd to provide SMTP AUTH, so spamdyke can't
>> see it. Instead, Plesk uses relaylock for that purpose. You should
>> really test with:
>> spamdyke -f /etc/spamdyke.conf /var/qmail/bin/relaylock
>> /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true
>> /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
>> With that command line, the SMTP AUTH banners will appear and spamdyke
>> won't complain about it any more.
>>
>> So in summary, you can either use Plesk's relaylock OR you can use
>> spamdyke's "smtp-auth-command-encryption" directive. Using both is
>> unnecessary and wastes server resources. If you have some users (or
>> servers) that need to relay without authenticating, continue using
>> relaylock. If you don't, create an empty access file and use spamdyke's
>> "smtp-auth-command-encryption" and "access-file" instead of relaylock.
>> It's a bit more efficient.
>>
>> To answer your last question about qmail-smtpd's command line, it
>> doesn't have one by default. Most of the time, when you see command
>> line options passed to qmail-smtpd, you're looking at a patched version
>> of qmail-smtpd. (In Plesk's case, the extra options are not parameters
>> to qmail-smtpd, they're actually parameters to relaylock.) Typically,
>> any parameters are commands to process SMTP AUTH attempts.
>>
>> The authentication commands always come in pairs -- the auth command and
>> a "true" command. This is a holdover from DJB's original
>> "checkpassword" program, which runs the second command if the
>> authentication is successful. I think his intent was that successful
>> authentications could have side-effects, such as logging or unlocking
>> resources. The password-checking program could be generic (i.e. only
>> check the password) and the second command could perform the
>> side-effect. In practice, this hasn't happened. People have simply
>> written password-checking programs that perform the side-effects
>> internally. "true" is used as the side-effect command because it's
>> small and fast.
>>
>> For more information on "checkpassword" (but not much more), see DJB's site:
>> http://cr.yp.to/checkpwd/interface.html
>>
>> -- Sam Clippinger
>>
>> Grimmi Meloni wrote:
>>
>>> Hi,
>>>
>>> I've been using spamdyke for about 2 weeks now, and I'm quite satisfied
>>> with the results. Thanks for this great tool.
>>>
>>> As the subject states, I'm running a Plesk 8.1 based system. Today I
>>> upgraded from the 2.6.3 version, to the 3.1.0.
>>>
>>> The good news is: I got everything working so far.
>>>
>>> But what made me curious are two things:
>>>
>>> With the old 2.6.3 I could use the --smtp-auth-command option, with the
>>> new 3.1.0 this does not work anymore. "Not working anymore" in this case
>>> means, that I have to remove this option or my client gets an error
>>> message. In the logs it looks like authentication is tried twice. Really
>>> weired, but since Plesk delivers a SMTP_AUTH capable server, this is no
>>> problem - at least my relaying tests all failed when not authenticated.
>>> So I think I'm still good.
>>>
>>> During the trial and error phase of this, I ran the --config-test option
>>> of spamdyke. Although smtp authentication works, the config-test gives
>>> me this warning:
>>>
>>> WARNING: /var/qmail/bin/qmail-smtpd does not appear to offer SMTP AUTH
>>> support. Please use the "smtp-auth-command" flag or the
>>> "smtp-auth-command-encryption" flag as well as the "access-file" and
>>> "local-domains-file" flags so spamdyke will be able to authenticate
>>> users and correctly allow them to relay.
>>>
>>> Now I'm wondering why this warning occurs at all. Is it a
>>> misconfiguration on my part, or just the config-test failing to detect
>>> the SMTP AUTH capabilities of my qmail_smtpd?
>>>
>>> bye, Michael
>>>
>>> P.S.: Although offtopic: Can anybody point me to a place where the
>>> commandline of qmail_smtpd is explained? Basically I would like to know,
>>> why /var/qmail/bin/true has to be in the commandline twice, or even
>>> better, what qmail_smtpd in general does with it's parameters? Thanks.
>>>
>>> ------------- my spamdyke.conf ------------
>>> log-level=2
>>> local-domains-file=/var/qmail/control/rcpthosts
>>> max-recipients=5
>>> idle-timeout-secs=60
>>> graylist-dir=/var/qmail/gray
>>> graylist-min-secs=300
>>> graylist-max-secs=1814400
>>> reject-empty-rdns
>>> reject-unresolvable-rdns
>>> reject-ip-in-cc-rdns
>>> greeting-delay-secs=5
>>> check-dnsrbl=zombie.dnsbl.sorbs.net
>>> check-dnsrbl=dul.dnsbl.sorbs.net
>>> check-dnsrbl=bogons.cymru.com
>>> #smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
>>> /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
>>> local-domains-file=/var/qmail/control/rcpthosts
>>> reject-missing-sender-mx
>>> hostname=v31616.vierfpeile.de
>>> tls-certificate-file=/var/qmail/control/servercert.pem
>>> ---------------end my spamdyke.conf------------
>>>
>>>
>>> ------------ my xinetd.d config for smtp_psa ---------
>>> server = /var/qmail/bin/tcp-env
>>> server_args = -Rt0 /usr/local/bin/spamdyke -f
>>> /etc/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd
>>> /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw
>>> /var/qmail/bin/true
>>> ------------ my xinetd.d config for smtp_psa ---------
>>> _______________________________________________
>>> spamdyke-users mailing list
>>> [email protected]
>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>>>
>> _______________________________________________
>> spamdyke-users mailing list
>> [email protected]
>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>>
>
> _______________________________________________
> spamdyke-users mailing list
> [email protected]
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
